FOREWORD



In some ways, the cyber domain is quite different 
from the traditional operational domains of air, land, 
sea, and space. Cyber threats are stealthy and diffi- 
cult to attribute; critical infrastructures are difficult to 
defend against unseen and unpredictable adversaries. 
The 2011 Department of Defense (DoD) Strategy for Oper- 
ating in Cyberspace was a significant policy statement 
for publicly embracing cyberspace as an operational 
domain and declaring a number of strategic initia- 
tives to maintain U.S. security in the face of emerging 
cyber threats. In this monograph, Dr. Thomas Chen
explains the strategies as they have evolved from pre- 
vious national strategies and examines each strategy 
critically for clarity, comprehensiveness, and novelty. 

This monograph contributes to an important ongo- 
ing dialogue about current policy and addresses the 
question: How should the cyber domain be managed
so as to protect U.S. assets and interests? According 
to the DoD Strategy, defense will depend on novel 
operating concepts; partnerships between govern- 
ment and industry; international partnerships with 
allies; and investment in cyber training and research 
and development. But does the DoD Strategy go suf- 
ficiently far enough to ensure U.S. superiority in the 
cyber domain? The cyber threat landscape is con- 
stantly evolving, therefore, it is important to continu- 
ally revisit the national strategy and ask, as in this 
monograph, whether the national strategy is adequately
meeting existing and emerging challenges.

DOUGLAS C. LOVELACE, JR.
Director 

Strategic Studies Institute and 
U.S. Army War College Press 

SUMMARY



In July 2011, the U.S. Department of Defense (DoD) 
issued the DoD Strategy for Operating in Cyberspace. It 
outlines five strategic initiatives:

1. Treat cyberspace as another operational domain; 

2. Employ new defense operating concepts to pro- 
tect DoD networks; 

3. Partner with other U.S. government agencies 
and the private sector; 

4. Build relationships with U.S. allies and interna- 
tional partners to strengthen cyber security; and, 

5. Leverage the national intellect and capabilities 
through cyber workforce training and rapid techno- 
logical innovation. 

This monograph is organized in three main parts. 
The first part explores the evolution of cyberspace 
strategy through a series of government publications 
leading up to the DoD Strategy for Operating in Cyber- 
space. It is seen that, although each strategy has differ- 
ent emphases on ideas, some major themes recur. In 
the second part, each strategic initiative is elaborated 
and critiqued in terms of significance, novelty, and 
practicality. In the third part, the monograph critiques 
the DoD Strategy as a whole. Is it comprehensive and 
adequate to maintain U.S. superiority in cyberspace 
against a rapidly changing threat landscape? Short- 
comings in the strategy are identified, and recommen- 
dations are made for improvement in future versions. 

AN ASSESSMENT OF THE
DEPARTMENT OF DEFENSE STRATEGY 
FOR OPERATING IN CYBERSPACE 



INTRODUCTION 

Computer networks have become essential to the 
proper operation of the U.S. Government and mili- 
tary. According to then Secretary of Defense Robert 
Gates, the Department of Defense (DoD) operates 
"more than 15,000 local, regional, and wide-area net- 
works, and approximately seven million information 
technology (IT) devices."^ The increasing reliance on 
computer networks has created opportunities for for- 
eign nations, terrorists, "hacktivists," and criminals. 
Government networks are being constantly probed for 
vulnerabilities and have occasionally been compro- 
mised, resulting in the theft of considerable amounts 
of sensitive data. Several intrusions have been 
publicly disclosed, including: 

• Moonlight Maze involved 2 years of infil- 
trations starting in 1998 into the Pentagon, 
National Aeronautics and Space Administra- 
tion (NASA), Department of Energy (DoE), and 
affiliated labs. Tens of thousands of files, includ- 
ing military maps, U.S. troop configurations, 
military hardware designs, and naval codes 
were reportedly compromised. According to 
congressional testimony of James Adams, chief 
executive officer of Infrastructure Defense, 
Inc., the stolen information was "shipped 
over the Internet to Moscow for sale to the 
highest bidder."^ 

• Titan Rain was a series of intrusions starting in 
2003 into computer systems at Sandia National 
Labs, NASA, Redstone Arsenal military base,
World Bank, and various defense contractors.
Military intelligence was stolen, including 
Army helicopter specifications, Falconview 
(flight planning software), and aerospace 
documents.^ 

• Intrusions into defense contractor information 
systems in 2007 and 2008 reportedly allowed 
an unidentified foreign country to exfiltrate 
successfully "several terabytes of data related 
to design and electronics systems" of the F-35 
Lightning II, an advanced fighter plane.'* 

• In March 2011, Deputy Defense Secretary Wil- 
liam Lynn admitted that "terabytes of data 
have been extracted by foreign intruders from 
corporate networks of (unnamed) defense 
companies."® The theft involved 24,000 files 
of data ranging from specifications for small 
parts on tanks, airplanes, and submarines to 
aircraft avionics, surveillance technologies, sat- 
ellite communications systems, and network 
security protocols. 

As cyberspace has become increasingly important, 
the U.S. Government has issued a number of publi- 
cations on national cybersecurity strategy leading up 
to the 2011 DoD Strategy for Operating in Cyberspace. 
Some themes have been repeated often, such as a 
need for public-private sector cooperation, reduction
of vulnerabilities, more cyber security training, and 
international cooperation. A summary of these docu- 
ments is listed in the appendix. 

An Evolution of Cyberspace Strategies.

In February 2003, President George Bush issued 
the National Strategy to Secure Cyberspace.*^ It highlighted
three strategic priorities:

1. Prevent cyber attacks against America's critical 
infrastructure; 

2. Reduce national vulnerability to cyber attacks; 
and, 

3. Minimize damage and recovery time from cyber
attacks,

and identified five critical national priorities:

a. Implement a national cyberspace security 
response system; 

b. Reduce cyberspace threats and vulner- 
abilities; 

c. Increase national cyber security awareness 
and training; 

d. Secure government cyberspace; 

e. Enhance national and international cyber- 
space cooperation. 

The primary aim of the strategy was to improve 
cyber security nationwide, not only government sys- 
tems but also critical infrastructures owned by the 
private sector. For each of the five national priorities, 
several major "actions and initiatives" were spelled 
out. Among these, several are noteworthy:

• Encourage public-private partnerships for 
cyber incident response; 

• Improve public-private information sharing 
involving cyber attacks, threats, and vulner- 
abilities; 

• Prioritize federal research and development 
(R&D) in cyber security; 

• Foster training and education programs in 
cyber security; 

• Strengthen cyber-related counterintelligence
efforts; 

• Improve capabilities for attack attribution and 
response; 

• Establish international partnerships to protect 
information infrastructures; 

• Establish national and international watch- 
and-warning networks to detect and prevent 
cyber attacks. 

Most of the themes reappear in the 2011 DoD Strategy
for Operating in Cyberspace (e.g., national and international
cooperation, public-private partnerships and
information sharing, reduction of vulnerabilities, and 
cyber security awareness). 

In 2004, the Joint Chiefs of Staff published the 
National Military Strategy of the United States of America.^
It was an action plan for the Armed Forces to support
the National Security Strategy and National Defense
Strategy. It emphasized three priorities: fighting ter- 
rorism; enhancing joint warfighting; and transforming 
the joint force to meet military objectives in the near 
and far terms. It notably included cyberspace as one 
of the domains of the battlespace along with air, land, 
sea, and space. 

Two years later, the Joint Chiefs of Staff published 
the National Military Strategy for Cyberspace Operations 
(NMS-CO) focused specifically on cyber security.® It 
aimed to characterize the cyberspace domain, iden- 
tify threats and vulnerabilities, and propose a strate- 
gic framework to assure U.S. military superiority in 
cyberspace. The NMS-CO appeared to significantly 
influence the 2011 DoD Strategy for Operating in Cyber- 
space, where the main themes reappeared. 

The NMS-CO identified six enabling ways to maintain
superiority in cyberspace, including these three:

1. Investment in science and technology; 

2. Partnerships with industry, government agen- 
cies, and other nations; and, 

3. Investment in a trained workforce. 

It also named four strategic priorities:

1. Gain and maintain initiative to operate within 
adversarial decision cycles; 

2. Integrate cyberspace capabilities across the 
range of military operations; 

3. Build capacity for cyberspace operations; and, 

4. Manage risk for operations in cyberspace. 

Each strategic priority was accompanied by sev- 
eral specific initiatives. 

In August 2007, President Bush established the 
Commission on Cybersecurity for the 44th Presidency 
to examine the national cyber security strategy for 
areas for improvement. At its conclusion, the com- 
mission stated that cyberspace was an urgent national 
security problem and recommended 25 actions.® 

In the meantime, President Bush enacted the Comprehensive
National Cybersecurity Initiative (CNCI)
aimed at improving the capabilities of the Department 
of Homeland Security (DHS) and other government 
agencies to protect against existing and future intru- 
sions.^® The CNCI was a number of interrelated ini- 
tiatives with three major goals aimed at improving 
cyber security:

1. To establish a "front line of defense" against 
existing threats through shared situational aware- 
ness and prevent future intrusions by reducing 
vulnerabilities; 

2. To defend against the full spectrum of threats
through better counterintelligence and better security 
of the supply chain for key information technologies; 

3. To expand cyber education; coordinate R&D 
across the federal government; and develop strategies 
to deter malicious activities. 

In the CNCI, some common themes from earlier 
publications reappear: reduction of vulnerabilities, 
coordination among government agencies, public-pri- 
vate partnering, security of the supply chain, work- 
force training, and focused R&D. These themes will 
be repeated in the later DoD Strategy for Operating 
in Cyberspace, but a couple of concepts in the CNCI, 
namely deterrence and counterintelligence, were not 
repeated explicitly. Instead, the DoD Strategy address- 
es deterrence and counterintelligence more subtly. It 
hints at counterintelligence in describing the estab- 
lishment of U.S. Cyber Command (USCYBERCOM), 
co-located with the National Security Agency (NSA)
under the same director. The notion of deterrence 
is also addressed subtly in the description of collec- 
tive security created by international cooperation; 
presumably, the strength of numbers will help deter 
future attacks. 

In May 2009, President Barack Obama announced 
the results of a broad review of the national cyber 
security strategy, including CNCI. The review recom- 
mended that a new cyber security coordinator update 
the national strategy. The U.S. Government Account- 
ability Office (GAO) also noted, among other rec- 
ommendations, the need for a national strategy that 
clearly articulated strategic objectives, goals, and priorities.^
In the same year, DHS updated its National
Infrastructure Protection Plan, which is a framework for 
addressing threats to critical infrastructures relying
on public-private partnerships.^^ 

In May 2011, the White House released the Inter- 
national Strategy for Cyberspace, aiming to promote a 
global cyberspace environment that is "open, interop- 
erable, secure, and reliable" based on "norms of 
responsible behavior."^^ The document is divided into 
three approaches for the future — diplomacy, defense, 
and development — and is supported by seven policy 
priorities. The strategy emphasized the need for inter- 
national cooperation and public-private partnerships, 
noting that "no single institution, document, arrange- 
ment, or instrument could suffice in addressing the 
needs of our networked world."

Whereas the International Strategy for Cyberspace is 
diplomatic, highlighting the international and coop- 
erative aspects of a secure cyberspace, the DoD Strat- 
egy for Operating in Cyberspace may be considered a 
complementary strategy in some ways. While interna- 
tional cooperation is an important part of the strategy, 
the strategy is primarily interested in actions to ensure 
military superiority and protection of American assets. 

DoD Strategy for Operating in Cyberspace. 

In July 2011, Deputy Secretary of Defense Lynn 
announced the publication of a 13-page unclassified 
DoD Strategy for Operating in Cyberspace (the contents 
of a longer classified version have not been published).
The official document was preceded by a September 
2010 article by Secretary Lynn. The conclusion in the 
article is an accurate summary of the DoD Strategy. 

These risks [in cyberspace] are what is driving the
Pentagon to forge a new strategy for cybersecurity.
The principal elements of that strategy are to develop
an organizational construct for training, equipping, 
and commanding cyberdefense forces; to employ 
layered protections with a strong core of active 
defenses; to use military capabilities to support other 
departments' efforts to secure the networks that run 
the United States' critical infrastructure; to build col- 
lective defenses with U.S. allies; and to invest in the 
rapid development of additional cyberdefense capa- 
bilities. The goal of this strategy is to make cyberspace 
safe so that its revolutionary innovations can enhance 
both the United States' national security and its 
economic security.^^ 

The DoD Strategy for Operating in Cyberspace 
outlines five strategic initiatives to address cyber secu- 
rity, which can be summarized as follows: 

1. Treat cyberspace as an operational domain 
(equivalent to air, land, maritime, and space); 

2. Employ new defense operating concepts to pro- 
tect DoD networks; 

3. Partner with other U.S. Government agencies 
and the private sector; 

4. Build relationships with international partners 
to strengthen collective security; and, 

5. Invest in cyber workforce training and R&D for 
rapid technological innovation. 

The accompanying news release described the 
strategy as "a new way forward for DoD's military, 
intelligence, and business operations." Clearly, the
DoD Strategy is significant as an official recognition 
of the strategic importance of cyberspace to national 
security. However, while the strategy is consistent 
with Secretary Lynn's article, the document is brief 
and unspecific. It repeats several themes from earlier
government publications but surprisingly omits a
few important ones. In the remainder of this article, 
each strategic initiative in the DoD Strategy will be 
examined in depth for clarity, comprehensiveness, 
and novelty. The implications and practicality of each 
initiative will be discussed. In the final section, some 
critical observations of the DoD Strategy will be made. 

STRATEGIC INITIATIVE 1: DoD will treat cyber- 
space as an operational domain to organize, train, 
and equip so that DoD can take full advantage of 
cyberspace's potential. 

This strategy initiative is an official declaration 
that cyberspace will be treated as the fifth operational 
domain in addition to air, land, sea, and space. Essen- 
tially, DoD recognizes that military operations need to 
extend into man-made cyberspace because cyberspace 
has become integral to military operations in the other 
domains. In modern warfare, all domains are intercon- 
nected via cyberspace operations, and cyber attacks 
are expected to become a common part of future con- 
flicts. It naturally follows that DoD should build up 
capabilities to carry out actions in cyberspace. The 
strategy states "DoD will organize, train, and equip 
for the complex challenges and vast opportunities of 
cyberspace."^® 

Substantial changes have been made in organi- 
zation. DoD has established the USCYBERCOM as 
a sub-unified command of U.S. Strategic Command 
(USSTRATCOM) under the Secretary of Defense. 
USCYBERCOM is responsible for coordinating the 
relevant military branches, including U.S. Army 
Cyber Command, U.S. Fleet Cyber Command/U.S.
10th Fleet, the 24th Air Force, U.S. Marine Corps Forces
Cyber Command, and U.S. Coast Guard Cyber
Command. It is deliberately co-located with the NSA 
under the same director. This organization is intend- 
ed to maximize resources and efficiency, and directly 
link cyber operations with intelligence. 

The DoD Strategy expresses concern that degraded 
cyberspace operations may interfere with the success 
of missions. To learn to operate in a possibly hostile 
cyberspace environment, cyber red teams will conduct 
war games, e.g., Cyber Storm. In addition, defensive
capabilities will be strengthened by investment in 
more resilient and secure computer networks. 

Significance and Novelty. 

In summary, this strategy initiative makes three 
points: DoD must be able to operate equally in cyber- 
space as in other domains; missions must succeed 
despite adversity in cyberspace; and cyberspace 
must be strengthened against threats. This initia- 
tive is a message to other government agencies, as 
well as to foreign countries, about the seriousness of 
cyber operations (and possibly military responses to 
cyber attacks). 

As a formal statement that cyberspace will be an 
integral part of future warfare, this is not surpris- 
ing. It recognizes the reality that most people have 
already accepted. The importance of military opera- 
tions in cyberspace has become increasingly clear in 
recent years. In 2004, the Joint Chiefs of Staff issued 
the National Military Strategy of the United States of 
America.^ It implied cyberspace was an operational
domain by saying the military "must have the ability 
to operate across the air, land, sea, space, and cyber- 
space domains of the battlespace." In November 2006, 
Secretary of the Air Force Michael W. Wynne delivered
an address describing cyberspace as a warfighting
domain equal to air and space: "(defend) the United
States of America and its global interests — to fly
and fight in air, space and cyberspace."^^ In this view, 
cyberspace superiority is simply an extension of air 
and space supremacy. 

Since cyber operations are widely expected to 
become a critical part of military conflicts, it is logi- 
cal for DoD to strive for freedom to act in cyberspace 
beyond civilian limitations. However, this "milita- 
rization of cyberspace" raises a few issues that are 
not addressed specifically in the DoD Strategy. First, 
what are the boundaries of cyberspace considered to 
be within military jurisdiction? Most critical network 
infrastructures are owned and operated by the private 
sector. Second, how will cyber attacks warranting a 
military response differentiate from other malicious 
acts such as cybercrime? For instance, spear phishing 
(social engineering) to install malware may be a tactic 
used in both cybercrime and military cyber espionage. 
Third, could cyber attacks escalate unnecessarily into 
physical warfare? It seems possible that DoD might 
classify a major cyber attack against critical infrastruc- 
ture as an act of war that could trigger a conventional 
military response. A Pentagon official stated, "If you 
shut down our power grid, maybe we will put a mis- 
sile down one of your smokestacks."^^ Clearly, rules 
need to be developed to guide appropriate responses 
to cyber attacks. So far, the United States has chosen 
not to impose any self-restrictions. Deputy Defense 
Secretary Lynn stated: 



The United States reserves the right, under the laws 
of armed conflict, to respond to serious cyber attacks 
with a proportional and justified military response at 
the time and place of its choosing.^

Practicality. 

In terms of organization, the GAO has found that 
progress has been made, notably the establishment 
of the USCYBERCOM and supporting organizations 
in June 2009, but more work is needed. It observed 
that the DoD's organization to address cyber security 
is vast and decentralized, with responsibilities spread 
across various offices. The recent organizational 
changes are believed to be steps in the right direction, 
since the command will theoretically provide a "sin- 
gle point of accountability" but "it is too early to tell 
if these ongoing organizational changes will improve 
DoD's overall cyber efforts" to counter threats. 

The GAO also observed a lack of clarity about the 
role of civilians in conducting cyber war operations 
and the "mission requirements and capabilities to 
organize, train, and equip a cyber force."^*’ Another 
concern was a lack of direction from USCYBERCOM 
about the command and control relationships between 
the command and regional military commanders. 

In terms of investment in more resilient and secure 
computer networks, the DoD Strategy is not specific 
about how investment will be carried out. Research- 
ers in resilient networks have investigated advanced 
technologies such as self-healing and intrusion toler- 
ance for many years. Resilience was one of the origi- 
nal main design goals for the Internet.^^ Self-healing 
is a more advanced capability that enables networks 
to automatically detect faults and reroute connections 
around them with minimal interruption.^® Likewise,
intrusion tolerance is an advanced technology that 
aims to keep critical systems functioning properly 
even in the face of successful intrusions.^® 

These advanced technologies underlying resilient 
and robust computer networks are fairly well under- 
stood, though not perfect, particularly for large-scale 
complex networks. Considering that DoD operates 
15,000 networks involving more than seven mil- 
lion devices, it would be enormously challenging to 
implement successfully advanced technologies such 
as self-healing and intrusion tolerance on that scale. 
Implementation would require thorough changes 
in equipment, software, and protocols. The cost for 
implementation is unknown, and the required funds 
are not guaranteed in the budget. DoD has requested 
$37 billion for information technology in Fiscal Year 
(FY) 2013, but it encompasses a range of IT invest- 
ments.®® The budget includes $3.4 billion for cyber 
security efforts to protect information, information 
systems, and networks. 

STRATEGIC INITIATIVE 2: DoD will employ new 
defense operating concepts to protect DoD net- 
works and systems. 

Although the strategic initiative is obviously broad 
and vague, the DoD Strategy identifies four specific 
actions: 

1. Implement cyber hygiene best practices; 

2. Address insider threats by strengthening work- 
force communications, workforce accountability, and 
internal monitoring; 

3. Implement active cyber defenses against external
threats; and,

4. Develop new defense operating concepts
and computing architectures such as secure cloud 
computing. 

The initiative presumes that good hygiene (e.g., 
updating and patching software, running antivi- 
rus software, avoiding untrusted email attachments 
and untrusted websites) can prevent most malicious 
acts. While certainly helpful, safe practices will not 
protect users against advanced attacks that often 
make use of sophisticated social engineering and 
zero-day exploits. 

It is notoriously difficult to defend against insider 
threats. The strategy will depend on: 

communication, personnel training, and new tech- 
nologies and processes . . . new policies, new meth- 
ods of personnel training, and innovative workforce 
communications.^^ 

The DoD Strategy makes a point to contrast "active" 
defense with traditional "passive" defense. By active 
defense, the DoD Strategy means that the network will 
be monitored in real time to "discover, detect, analyze, 
and mitigate threats and vulnerabilities,"^^ or, in other 
words, real-time intrusion detection and prevention. 
This capability aims to "stop malicious activity before 
it can affect DoD networks and systems."^^ 

Significance and Novelty. 

Generally, this strategic initiative has good ideas 
consistent with common sense, but the ideas are con- 
ventional and unoriginal. For example, cyber security 
best practices are a good idea, but best practices alone 
will not prevent intrusions, and the strategic initiative
does not offer additional ideas beyond best practices. 
Also, insider threats can be ameliorated by address- 
ing the human element in the workplace, but it is 
not clear how effectively the stated actions can deter 
insider attacks. 

Perhaps the most interesting statement is the emphasis
on active defenses that detect and prevent intrusions 
in real time. This statement could be interpreted as an 
implicit message aimed at foreign adversaries, say- 
ing that real-time retaliation is possible. This message 
might help deter future attacks; the notion of deter- 
rence is elaborated in more detail later. 

Much of this strategic initiative is too broad and 
vague to criticize. For example, the meaning of state- 
ments like "DoD will explore new and innovative 
approaches and paradigms for both existing and 
emerging challenges"^^ is impossible to evaluate
because it depends on unknowns in the future. 

Practicality. 

The most challenging action in this strategic ini- 
tiative is active defense. Research in intrusion detec- 
tion has been conducted for decades, and real-time 
detection is still an open question due to the continual 
inventiveness of resourceful adversaries. The stra- 
tegic initiative does not explain how active defenses 
will be carried out or who will provide the technolo- 
gy. In general, intrusion detection can be performed 
by misuse detection (signature-based) or anomaly 
detection (behavior-based).^^ Misuse detection works 
for known attacks but may miss new attacks without 
an existing signature. On the other hand, anomaly 
detection may be able to detect unknown new attacks 
that deviate statistically from "normal" behaviors,
but this approach continues to be very difficult to 
perfect in practice. Existing intrusion detection sys- 
tems can monitor computer networks in real time, 
but the accuracy of detection (and hence prevention) 
remains uncertain. 

It is not clear how new computing architectures 
such as cloud computing can improve DoD security. 
Cloud computing offers organizations benefits like 
lower start-up costs and capital expenditures, servic- 
es on a pay-as-you-use basis, and flexibility to quick- 
ly reduce or increase capacities. However, cloud com- 
puting introduces new security risks related to data 
ownership, privacy, data mobility, quality of service, 
bandwidth, and data protection. 

STRATEGIC INITIATIVE 3: DoD will partner with 
other U.S. government departments and agencies 
and the private sector to enable a whole-of-govern- 
ment cyber security strategy. 

This strategic initiative recognizes that:

DoD's critical functions and operations rely on com- 
mercial assets, including Internet Service Providers 
(ISPs) and global supply chains, over which DoD has 
no direct authority to mitigate risk effectively.^^ 

Therefore, a broad level of cooperation with other 
government departments and private companies is 
clearly necessary. 

Among other government departments, the strate- 
gic initiative emphasizes DHS in particular. A notable 
example of cooperation was a 2010 memorandum of 
agreement with DHS to coordinate efforts to protect 
critical infrastructures and computer networks.^® The
agreement called for DoD and DHS cyber analysts to 
jointly support the National Cybersecurity and Com- 
munications Integration Center (NCCIC). The agree- 
ment also provides a full-time senior DHS leader and 
support personnel to NSA to "ensure both agencies'
priorities and requests for support are clearly commu- 
nicated and met."®® 

The strategic initiative also calls for public-private 
partnerships because the global technology supply 
chain affects mission critical aspects of the DoD enter- 
prise, along with core U.S. Government and private 
sector functions.'^’ 

The partnerships will aim to "share ideas, develop 
new capabilities, and support collective efforts." The
public and private sectors will not automatically work 
together because of different interests. In recognition 
of this difficulty, the strategy describes an existing 
public-private partnership with the Defense Indus- 
trial Base (DIB) to increase the protection of sensitive 
information. DIB networks are protected under the 
Defense Industrial Base Cyber Security and Informa- 
tion Assurance program. The strategy wants addi- 
tional pilot programs, business models, and policy 
frameworks to foster public-private synergy. Public- 
private partnerships will require a balance between 
regulation and volunteerism . . . incentives or other 
measures will be necessary to promote private sector 
participation.^® 

Significance and Novelty.

The current division of government responsibili- 
ties for protecting cyberspace is less than ideal. Broad- 
ly speaking, the DoD is responsible for defending the 
military networks (nominally against cyber warfare), 
while DHS is responsible for defending civilian gov- 
ernment networks (against cybercrime). DHS also 
helps critical infrastructure owners with cyber securi- 
ty. At the same time, the arguably best defense capa- 
bilities reside in the DoD. It is not clear which gov- 
ernment agency has the lead for cyber security, which 
would respond to a given cyber attack, and how DoD 
could help in the defense of civilian networks. Ideally, 
government agencies would work together seamless- 
ly, but the 2009 Cyberspace Policy Review noted a lack 
of coherent policy guidance clarifying "authorities, 
roles, and responsibilities for cyber security-related 
activities across the Federal government" due to an 
incoherent "patchwork of Constitutional, domestic, 
foreign, and international laws."^^ 

Public-private cooperation has been a recurrent 
theme in government publications on cyber security. 
The need for public-private partnerships was recog- 
nized in the 2003 National Strategy to Secure Cyberspace, 
which viewed public-private partnerships as useful 
for cyber incident response and security information 
sharing. It was repeated in the 2006 National Military 
Strategy for Cyberspace Operations and the DHS 2009 
National Infrastructure Protection Plan. Considering 
that the private sector owns most critical infrastruc- 
tures, the need for effective public-private partner- 
ships is obvious. The question for the DoD Strategy is 
how to facilitate and incentivize cooperation. The DoD 
Strategy appears to recognize this challenge but does 
not offer specific plans.

Practicality.

Significant progress has been made in increasing 
cooperation between agencies. A few agencies — Air 
Force, DHS, NSA, and Federal Bureau of Investiga- 
tion (FBI) — have claimed authority in cyberspace. 
The 24th Air Force is now the Service's component of 
the USCYBERCOM. As mentioned earlier, DHS and
DoD have signed a memorandum of agreement. NSA
is closely linked to USCYBERCOM under the same
director. The FBI investigates cyber intrusions at U.S.
companies but suffers from a shortage of necessary
skills and support.

The DHS-DoD memorandum of agreement is a 
good example of the DoD Strategy's whole-of-govern- 
ment approach. Whereas DoD is normally limited to 
defending military computer networks, the memoran- 
dum of agreement allows DoD's cyber warfare exper- 
tise to be leveraged to help DHS protect domestic 
networks and critical infrastructure. To fully realize 
the strategy's whole-of-government approach, more 
similar agreements will be needed that spell out how 
agencies can cooperate while clearly maintaining their 
separate missions.

The DoD Strategy is vague about specific means 
of public-private cooperation, but an obvious exam- 
ple is information sharing about vulnerabilities and 
threats. The DoD Strategy points out an example of 
the DIB pilot. It involves DoD, DHS, and 20 compa- 
nies, including ISPs and defense contractors. Threat 
signature information is shared by USCYBERCOM 
and NSA with the participating companies. In addition,
various pieces of pending legislation aim to increase
information sharing between private companies and
the government.

An amended version of the Cyber Intelligence
Sharing and Protection Act (CISPA) bill passed the 
House of Representatives in April 2012. It contains 
provisions for private companies to "use cyber secu- 
rity systems to identify and obtain cyber threat infor- 
mation," share this information with the government, 
and be protected from lawsuits for these actions. Civil
liberty groups have expressed concerns that vague
wording in the bill might allow companies to collect 
unlimited private information about Internet users 
under the pretext of suspicious activities. 

The Strengthening and Enhancing Cybersecurity 
by Using Research, Education, Information, and Tech- 
nology Act of 2012 (the SECURE IT Act) was intro- 
duced into the Senate in March 2012. Similar to CISPA, 
the SECURE IT Act is aimed at facilitating information 
sharing in regard to cyber threats. The SECURE IT Act 
has likewise been criticized for insufficient protection 
of existing privacy rights. 

A revised version of the Cybersecurity Act of 2012 
(CSA) failed to pass the Senate in August 2012. Title 
I called for a public-private consortium to develop a 
set of voluntary cyber security practices for protecting 
critical national infrastructure. However, existing gov- 
ernmental regulators with authority over any critical 
national infrastructure could require regulated com- 
panies to comply with the "voluntary" cyber security 
practices. Businesses have expressed concerns about 
the potential costs for compliance. Title VII was simi- 
lar in intention to the CISPA and SECURE IT Act bills 
to encourage network monitoring and information 
sharing by private companies, with legal protection 
provided to companies. Cyber threat information 
could be shared with law enforcement through civilian
"cyber security exchanges" only where the information
pertains to a cybercrime, imminent threat
of bodily harm or serious injury, or serious threat 
to minors. DHS would develop privacy policies for 
how shared information would be used by the gov- 
ernment. After the failure of CSA to pass the Senate, 
some senators pressured the White House to issue an 
executive order for voluntary cyber security guide- 
lines for owners of power, water, and other critical 
infrastructure facilities. 

Public-private cooperation is not easy due to con- 
flicting interests. The GAO has noted efforts to devel- 
op new information sharing arrangements between 
the private sector and the government. However,
"expectations of private sector stakeholders are not
being met by their federal partners in areas related to
sharing information about cyber-based threats." Historically,
industry has tended to resist new regulations
for reasons of cost. In regard to cyber security practices,
companies have argued that they know their networks
better and can adapt faster to new threats than
government regulators. Consequently, the government
is currently focused on voluntary actions, but it
recognizes that incentives will be necessary. For companies,
information sharing is a complicated economic
question with advantages balanced by drawbacks.

STRATEGIC INITIATIVE 4: DoD will build robust 
relationships with U.S. allies and international 
partners to strengthen collective cyber security. 

This strategic initiative is aimed primarily at other 
nations to foster cooperation for "collective self-de- 
fense and collective deterrence" through timely 
sharing of information about "cyber events, threat 
signatures of malicious code, and information about 
emerging actors and threats." Other shared activities
include capacity building, training, dialogue about 
best practices, and pursuit of "international cyber- 
space norms and principles that promote openness, 
interoperability, security, and reliability."

Significance and Novelty. 

This strategic initiative emphasizes the advantages 
of collective self-defense to appeal not only to close 
allies but also to "a wider pool of allied and partner 
militaries" and "like-minded states." The advantages
of international cooperation for cyber security
are obvious, and the notion has been repeated in
government publications leading back to at least the 
2003 National Strategy to Secure Cyberspace. The notion 
of collective self-defense in warfare (not just in cyber- 
space) goes even further back to the North Atlantic 
Treaty Organization (NATO) established in 1949. 

Interestingly, the Article 5 "mutual defense" clause 
of NATO has already been tested by cyber attacks. In 
April 2007, the Estonian government had decided to 
move the Bronze Soldier of Tallinn, triggering Russian 
protests. Multiple waves of distributed denial of service
(DDoS) attacks hit the websites of the Estonian
parliament, banks, ministries, newspapers, and media.
The Estonian Foreign Minister promptly accused
the Kremlin of responsibility, raising the question of 
whether NATO member countries would respond col- 
lectively to the DDoS attacks. Experts sent to Estonia 
concluded that the DDoS attacks were not sufficiently 
serious for Article 5 but highlighted the need for clear 
legal definitions on cyber attacks that would qualify 
for Article 5 mutual defense.

It is not clear that the NATO model of collective
self-defense, reflecting a simplistic "us versus them" 
mindset reminiscent of the Cold War, is appropriate 
for a more complicated modern world. Today, major 
nations cooperate on many levels while still competing 
in cyberspace. For example, China is heavily invested 
in U.S. assets, and the Chinese economy depends crit- 
ically on trade with the United States. However, at the 
same time, China is reportedly fully engaged in cyber 
espionage activities. 

In addition to collective self-defense, the strategic 
initiative states that international cooperation raises 
the question of deterrence. By conventional wisdom, 
strength in numbers could be an effective deterrent to 
future cyber attacks. The notion of deterrence has not
been a major theme in previous government publications,
except that the 2010 Comprehensive National Cybersecurity
Initiative mentioned deterrence as part of one of
its major goals. However, it is questionable whether
deterrence is possible in cyber warfare in the same
way that nuclear deterrence worked by fear of "mutually
assured destruction."

Practicality. 

This strategic initiative raises two questions of 
practicality: can the United States forge treaties for 
effective international cooperation, and can collective 
deterrence work in cyber security? New internation- 
al treaties to cooperate in cyberspace would have to 
overcome considerable obstacles: (1) competing interests,
(2) different attitudes toward cyber warfare, (3)
different definitions of malicious cyber acts (e.g., starting
with "cyber warfare"), and (4) difficult enforceability
(e.g., of terms limiting proliferation of cyber
weapons).

The Council of Europe Convention on Cybercrime
might give hope for international cooperation
on cyber warfare. Ratified in July 2004, it is the only 
binding international treaty on cybercrime. Though
it remains mostly limited to Europe, it is open to 
non-European states and has been signed by the Unit- 
ed States. It provides guidelines for all governments 
wishing to develop legislation against cybercrime. It 
also provides a framework for international cooper- 
ation. However, while all nations have an interest in 
controlling cybercrime, different nations have com- 
peting interests in cyber warfare. 

In 1998, Russia proposed a treaty banning cyber 
attacks for military purposes, but the United States has 
been reluctant to consider any limitations on its free- 
dom to act in cyberspace. In July 2010, the United States 
shifted its position to join a group of other nations, 
including China and Russia, on United Nations (UN) 
recommendations to create norms of accepted behav- 
ior in cyberspace, exchange information on national 
cyber security strategies, and strengthen cyber secu- 
rity in less developed countries. 

In September 2011, Russia and several allies, 
including China, proposed the International Code 
of Conduct for Information Security to the UN to 
standardize a code of responsible behavior in cyber- 
space. The United States opposed the proposal on 
the grounds that it sought to shift governance of the 
Internet (which is currently done by various U.S.- 
based nongovernmental international organizations) 
to authoritarian regimes that might attempt to curb 
the open culture of the Internet. Russia is continuing 
efforts for a global treaty on cyber security but, so far, 
the proposals appear unlikely to be successful due to 
opposition from Western countries. There is no reason
for the United States to enter agreements that hinder 
its freedom to act in cyberspace. 

Whereas a global treaty on behavior norms
appears to be unlikely, strategic treaties with allies and 
"like-minded states" are more feasible and advanta- 
geous, following a NATO model, for instance. Benefits, 
including shared threat intelligence and early attack 
warning, are easy to imagine. On the other hand, the 
DoD Strategy mentions the benefit of "collective deter- 
rence," which is more questionable. Presumably, it 
refers to the notion that adversaries would refrain 
from attacking due to the "strength in numbers" of 
a U.S. alliance. Following the logic of nuclear deter- 
rence, an adversary should believe that a U.S. alliance 
possesses the capability for retaliation and destruction 
on a scale that the adversary cannot accept.

Unfortunately, the cyber environment is com- 
pletely different from the nuclear environment, where 
nuclear weapons can be traced and counted. In order 
to be effective, cyber deterrence must overcome a few 
practical obstacles. The first and most obvious problem
is attribution — identification of the real source of
a cyber attack. Cyber attacks can be anonymized in 
many ways (e.g., by using proxies or stolen computer 
accounts). The Internet is not well equipped to trace- 
back packets and, in the best case, might identify an 
Internet protocol (IP) address. For malware attacks, 
the creator is very difficult to discover from code 
disassembly. 

The second practical problem, if attribution can 
be solved, is credible capacity for destructive retalia- 
tion. Few doubt the offensive capability of the United 
States, but it has not been demonstrated yet. In cyber 
warfare, there is no real reason to reveal "cyber weap- 
ons" unnecessarily. There is concern that revelations 
of U.S. full offensive capability could trigger a global
cyber arms race. Also, a software cyber weapon could 
be reverse engineered by an unfriendly country. 

A third problem is demonstrated willingness to 
retaliate with destructive force. The United States has 
not issued specific conditions for retaliation but has 
left all options open. The 2011 International Strategy for 
Cyberspace declared: 

When warranted, the United States will respond to
hostile acts in cyberspace as we would to any other
threat to our country.

Furthermore, the United States will reserve the 
right to use all necessary means — diplomatic, infor- 
mational, military, and economic — as appropriate and 
consistent with applicable international law, in order 
to defend our Nation, our allies, our partners, and our 
interests.

STRATEGIC INITIATIVE 5: DoD will leverage the 
nation's ingenuity through an exceptional cyber 
workforce and rapid technological 
innovation. 

This strategic initiative aims to maintain U.S. 
superiority through investment in its people, technol- 
ogy, and R&D to create and sustain the cyberspace 
capabilities.

The first part of the strategy consists of improve- 
ments made to personnel recruiting and hiring. Spe- 
cific ideas include: 

• Streamlining hiring practices; 

• Exchange programs to allow for "no penalty" 
cross-flow of cyber professionals between the 
public and private sectors;

• Cross-generational mentoring programs;

• Development of Reserve and National Guard 
cyber capabilities; and, 

• Exchanges and continuing education programs. 

The second part of the strategy addresses invest- 
ment in technology, rather than people, by revising 
processes for acquisition of information technology. 
The new process will adopt five principles:

1. Reducing DoD's acquisition processes and regu- 
lations to cycles of 12 to 36 months; 

2. Incremental development and testing instead of 
a single deployment of large, complex systems; 

3. Sacrificing some customization to speed up 
incremental improvements; 

4. Adopting differing levels of oversight based on 
DoD's prioritization of critical systems; and, 

5. Improving security measures for all pur- 
chased software and hardware, using an in-depth 
security approach. 

The strategic initiative points to the National 
Cyber Range as a means to "test and evaluate new 
cyberspace concepts, policies, and technologies." In
addition, companies will be incentivized through "initiatives
such as Small Business Innovation Research,
creative joint ventures, and targeted investments."

Significance and Novelty.

For the most part, this strategic initiative does not 
say much new. The need for a well-trained workforce 
is an obvious theme repeated in previous government 
publications. Hopefully, DoD has already started to 
build up its cyber workforce. The need for technology 
innovation is also obvious, considering the rapid rate 
of progress in information technologies. The last point 
about incentivizing companies somewhat repeats 
Strategic Initiative 3. 

It might be argued that this strategic initiative is 
already ongoing. Its general purpose is not to pro- 
pose revolutionary actions but to declare a message to 
mainly two audiences: the private sector and foreign
adversaries. To the private sector, the strategy conveys 
an intention to acquire new defense technologies and 
hire cyber professionals. To foreign adversaries, the 
message is DoD's intention to achieve and maintain 
superiority in cyberspace. 

The strategy is incomplete in addressing R&D. 
While the strategic initiative aims for "technologi- 
cal innovation," it gives much more attention to the 
DoD acquisition process than to investment in R&D. 
It is not clear how innovations will be stimulated. For 
example, nothing is mentioned about investment in 
universities or scientific labs for basic research, or how 
basic research will be translated into new products to 
acquire. It seems to be implicitly assumed that small 
businesses will automatically innovate.

Practicality.

The actions in this strategic initiative are straight- 
forward and hopefully already on their way to imple- 
mentation. Unfortunately, this strategic initiative 
appears to depend highly on defense funding. 

An agile acquisition process is being implemented 
by the Defense Advanced Research Projects Agency 
(DARPA). An example is the Cyber Fast Track pro- 
gram that strives to fund small research projects with 
rapid approval (perhaps less than a week). The
research projects are carried out by individuals or 
small groups for a few months. Hopefully, the short 
timescales will lead to better adaptiveness to quickly 
changing security threats. 

CRITICAL OBSERVATIONS 

After reading and evaluating each strategic initia- 
tive, some general observations about the unclassified 
version of the DoD Strategy for Operating in Cyberspace 
can be made. 

• The strategy focuses mostly on technology, 
resources, and cooperation. Human resources 
are addressed only in part of the last initiative. 

• The strategy emphasizes defense and preven- 
tion. The classified version of the strategy obvi- 
ously includes more points (e.g., presumably 
offensive capabilities). 

• The strategic initiatives mostly repeat themes 
that have appeared in previous government 
publications. The ideas are uncontrover- 
sial and sensible, but no surprising ideas are 
really offered.

• Some of the actions are already in progress,
such as treating cyberspace as an operational
domain; active defense; public-private cooperation;
cyber workforce recruiting; and rapid
technology acquisition. In this sense, the DoD 
Strategy is mostly an affirmation of current 
directions. 

• The strategy does not offer solutions to several 
practical challenges, such as how to implement 
advanced technologies for network resilience 
and robustness into DoD's computer networks; 
how to accurately detect intrusions in real 
time; how to properly incentivize private sec- 
tor information sharing; and how to effectively 
deter cyber attacks. 

• The strategy does not distinguish between different
types of adversaries — nation-states, foreign
intelligence, hacktivists, criminals, hackers,
terrorists — nor does the strategy address
initiatives for specific types of adversaries. 

• The unclassified version of the strategy neglects 
to address important issues: offense; attribution;
rules for proper response to cyber attacks;
and metrics of progress toward implementation.
These issues are discussed here.

Offense. 

The unclassified DoD Strategy for Operating in Cyber- 
space is primarily concerned with defensive protection 
of the information infrastructure. However, it is obvi- 
ous that the United States, like all modern nations, 
would be foolish not to build up offensive as well as 
defensive capabilities. The 2004 National Military Strat- 
egy of the United States of America stated plainly that 
cyber capabilities, "both offensive and defensive, are
key to ensuring U.S. freedom of action across the battlespace."
Also, the Air Force has said "cyberspace
operations seek to ensure freedom of action across
all domains for U.S. forces and allies, and deny that
same freedom to adversaries," implying the capability
for offense.

It has been reported that the United States and 
Israel were responsible for developing the Stuxnet 
malware aimed at sabotaging the Natanz uranium 
enrichment plant in Iran. Stuxnet spread through
the internal computer network in search of program- 
mable logic controllers controlling gas centrifuges 
and reportedly spun the centrifuges at rates outside 
of their normal operating range, causing perhaps a 
thousand centrifuges to fail. If true, Stuxnet would 
qualify as the first "cyber weapon" launched by 
one nation to damage another's physical infrastruc- 
ture. Shortly after Stuxnet was discovered, it was 
suspected of belonging to a growing arsenal of U.S. 
cyber weapons.

A strategy for building offensive capability has 
not been stated, most likely because of concern about 
stimulating a global cyber arms race. If an offensive 
strategy is to be developed, it should include clear
guidelines for how and when offensive actions can be 
carried out against another nation. 

Attribution. 

The DoD Strategy does not specifically address the 
problem of attribution. As mentioned earlier, attribu- 
tion is an enormous challenge, and the plausible deni- 
ability afforded by anonymity is a great contributing 
factor to cyber attacks. Adversaries are encouraged
by the fact that the real source of attacks can be eas- 
ily hidden. Even if an adversary is suspected, there is 
typically no hard evidence proving the perpetrator of 
an attack. 

Technically, the real source is easy to hide because 
the Internet was not designed to validate source IP 
addresses, trace back packets, or record details of
packets along their routes (due to the vast volumes of
traffic). Even if packets could be traced back to an IP
address, adversaries could confuse traceback by using
anonymizing proxies or hijacked accounts as interme- 
diaries. Moreover, many attacks are carried out by 
malware, and the creator of malware is very difficult 
to discover from disassembling the malware code. In 
addition, the lack of international laws hinders trace- 
back when packets cross national boundaries. 

Rules for Proper Response to Cyber Attacks. 

Given capabilities for offense and attribution, 
retaliation for cyber attacks is possible. Retaliation 
might consist of a physical response, which is implied 
by the declaration of cyberspace to be an operational 
domain, risking the possibility of a cyber attack esca- 
lating into a conventional war. However, the unclas- 
sified DoD Strategy for Operating in Cyberspace is silent 
on guidelines for proper response, i.e., what is the 
threshold for military response, and what qualifies as 
"use of force"? Guidelines must take into account the 
difficulty of attribution and assessment of damages in 
the cyber domain. 

It has been reported that President Obama signed 
executive orders in June 2011 describing rules of 
engagement for U.S. military commanders in carrying 
out cyber attacks and other computer-based operations
against other countries. The orders supposedly
provide guidance on when presidential approval 
is needed to initiate attacks and on conditions when 
the military can respond to an intrusion by active 
retaliation. 

A strategy should address two issues. First, when 
does a cyber attack justify a military response? DoD 
reportedly has been considering an idea of "equiva- 
lence." For example, a conventional response could be 
warranted if a cyber attack results in the same level 
of death or physical damage that a conventional mili- 
tary attack would cause. A traditional legal test is the 
"Caroline Test," where potential forcible actions taken 
by states for self-defense may be considered to be law- 
ful only if they are subject to the three conditions of 
immediacy, necessity, and proportionality. The first
two conditions mean that the threat is imminent, and 
peaceful alternatives are not an option. These condi- 
tions would probably be easy to meet in the event of 
a major cyber attack. The third condition means that 
the response should be proportional to the threat. This 
condition may be the most challenging to meet due to 
the interconnected nature of computer networks. 

Michael Schmitt has proposed a more elaborate 
framework, considering the intensity of damage in 
each of seven areas (severity, immediacy, directness, 
invasiveness, measurability, presumptive legitimacy, 
and responsibility) to assess the composite effects of a 
cyber attack.

The second question that should be addressed is:
What is an appropriate response? Traditional wars 
are guided by the Laws of Armed Conflict (LOAC) 
derived from a series of international treaties, such as 
the Geneva conventions, as well as traditional prac- 
tices that the United States and other nations consider 
customary international law. Obviously cyber warfare
is not covered by existing treaties, but the question is
whether the principles of LOAC — military necessity,
distinction, and proportionality — should be applicable 
to cyber warfare. Military necessity refers to restric- 
tions on combat actions to only those necessary to 
accomplish a legitimate military objective. Distinction 
refers to restriction of combat targets to valid military 
targets (versus noncombatant targets such as civilians, 
civilian property, and prisoners of war). Proportion- 
ality is a restriction on excessive use of force beyond 
that needed to accomplish the military objective. 

Metrics of Progress. 

For a long time, the field of security has lacked a 
mathematical science to answer two fundamentally 
important questions: How far has the DoD Strategy
been implemented, and how secure are U.S. assets? 
Today, it is difficult to quantify the security of a com- 
puter system. Therefore, it is hard to have confidence 
or trust in a protected system. In current practice, 
security is assessed experimentally by the number of 
vulnerabilities found or the results of penetration test- 
ing (or red teaming). 

The closest thing to science in security may be risk 
management. The mathematics behind risk manage- 
ment may give the appearance of precision, but input 
parameters such as likelihood of attacks are notori- 
ously difficult to estimate. As a result, the calculations 
of risk are essentially best guesses. There is no way 
to verify calculated risks; even the precision of calcu- 
lated risks is hard to quantify. 

The DoD Strategy does not address the need for 
cyber security metrics that are currently missing. It 
may be possible to measure actions taken in each of
the strategic initiatives, but in the end, little could be 
proven about the strength of cyber security of U.S. 
assets without appropriate metrics. 

CONCLUSIONS AND RECOMMENDATIONS 

DoD faces a rapidly changing environment of 
cyber threats. Fortunately, DoD is one of the best pre- 
pared organizations in the world. As noted earlier, it 
has undertaken many actions to fortify its capabilities 
(such as establishment of the USCYBERCOM) and 
defensive position to protect the nation's military net- 
works and critical infrastructures. 

With the DoD Strategy for Operating in Cyberspace, 
important messages have been conveyed to the Amer- 
ican public, other government agencies, the private 
sector, and other nations. The most important mes- 
sage is that the DoD is serious about taking further 
actions to maintain superiority in cyberspace. Another 
message is recognition that neither the DoD (nor any 
single agency) can protect all of cyberspace by itself, 
and the DoD is appealing for cooperation from the 
private sector and like-minded nations. 

The ultimate question is whether the strategy is 
adequate to maintain DoD superiority in the face of 
existing and future cyber threats. The GAO describes 
a complete national cyber strategy as one that:

• Includes well-defined strategic objectives; 

• Provides understandable goals for the govern- 
ment and the private sector; 

• Articulates cyber priorities among the 
objectives; 

• Provides a futuristic vision of what secure 
cyberspace should be;

• Seeks to integrate federal government
capabilities; 

• Establishes metrics to gauge progress against 
the strategy; and, 

• Provides enforcement and accountability in the 
event of progress shortfalls.

The DoD Strategy for Operating in Cyberspace falls 
short in this list. For example, it is not clear about priori- 
ties, futuristic vision, progress metrics, or enforcement 
and accountability. Some of these inadequacies were 
already mentioned in an earlier section. It is important 
to recognize that the DoD Strategy will undoubtedly 
be revised; strategies must continually evolve to adapt 
to the changing threat landscape. After reading and 
evaluating each strategic initiative in the current DoD 
Strategy, recommendations for future versions of the 
strategy include: 

• Expansion of detailed plans of actions to take 
for each strategic initiative; 

• Explanations of how to find solutions to practi- 
cal challenges (e.g., how to implement advanced 
technologies for network resilience and robust- 
ness on a large scale, how to accurately detect 
and prevent intrusions in real time, how to 
determine effective incentives for private sec- 
tor information sharing); 

• Elaboration on specific strategies to address 
different types of adversaries who have differ- 
ent capabilities, skills, and goals; 

• Elaboration on specific mechanisms to stimu- 
late technological innovations and translate 
research results into new defense products; 

• Additional consideration of omitted issues, 
including attribution, rules for proper response 
to cyber attacks, and security metrics; and

• Proposals of novel, forward-looking ideas and
new ways of thinking (e.g., effective cyber 
deterrence). 

It should be straightforward for future versions of 
the DoD Strategy to fill in the recommended details. 
Perhaps a greater concern is a noticeable lack of novel 
ideas. The DoD Strategy mostly deals with activities 
already in progress, which are probably not much 
different from ongoing activities in other nations. 
The DoD Strategy neglects to identify unique U.S. 
advantages and resources, and how to capitalize on 
these unique traits to maintain U.S. superiority. In the 
absence of a unique strategy, the United States may 
very well be able to build effective defensive and 
offensive capabilities, but it faces the risk of losing a 
superior advantage if other nations reach parity by 
doing the same things.

APPENDIX



Several U.S. documents related to national defense
and national security preceded the 2011 DoD Strategy
for Operating in Cyberspace, as listed here. They
place the DoD Strategy in a context of evolving ideas
and themes.



| Date | Document | Major Themes Related to Cyber Security |
|---|---|---|
| Feb. 2003 | The National Strategy to Secure Cyberspace (www.us-cert.gov/reading_room/cyberspace_strategy.pdf) | National cyber security response system; reduction of vulnerabilities to cyber attacks; cyber security awareness; secure government cyberspace; national and international cooperation. |
| 2004 | The National Military Strategy of the United States of America (www.defense.gov/news/mar2005/d20050318nms.pdf) | Joint military operations across air, land, sea, space, and cyberspace domains. |
| Dec. 2006 | The National Military Strategy for Cyberspace Operations (www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf) | Investment in science and technology; cyber workforce training; partnerships with industry and nations; integrate cyberspace capabilities across military operations; build capacity; manage cyber risks. |
| 2009 | DHS National Infrastructure Protection Plan (www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf) | Public-private partnerships to address threats to critical infrastructures. |
| Feb. 2010 | Quadrennial Defense Review Report (www.defense.gov/qdr/images/QDR_as_of_12Feb10_1000.pdf) | Network resilience; build capacity; centralization of cyber operations; international partnerships. |
| May 2010 | National Security Strategy (www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf) | Investment in cyber workforce; investment in technology; network resilience; private-public partnerships; international partnerships. |
| May 2011 | International Strategy for Cyberspace (www.whitehouse.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf) | International cooperation; public-private partnerships; network resilience; cyber deterrence; build capacity; Internet freedom. |



More visually, this list shows how previous 
strategy documents have strongly influenced the 
DoD Strategy. 



Table 1. Influence of Previous Documents. 